S4 Keynote on Advanced Persistent Threat [APT]
The keynote at S4, like many aspects of the event, differs from most control system events. Rather than picking a big name in the SCADA security world, we bring in someone from outside the control system community to introduce a concept that the community should start thinking about. Last year it was Ross Anderson on the economics of security. Two years ago we had Steve Lipner explain Microsoft’s Security Development Lifecycle and Dave Aitel talk about how an elite hacking team would approach a new, unknown system. And our inaugural keynoter was Whit Diffie, who talked about how the crypto community developed.
The keynote for S4 2010 is Kris Harms from Mandiant, who will talk about a type of threat that has important ramifications for critical infrastructure control systems: Advanced Persistent Threat [APT]. There is a growing body of evidence and case studies of attackers who expend great effort getting into an organization’s network and thoroughly compromising it. If one type of exploit is discovered on one or more systems and that compromise is addressed, they are still able to use many other types of compromise to maintain their presence, and their ability to damage the system, literally for years. You think you are rid of them, but they are still there. Many of the attack tools, compromises and backdoors are custom developed and extremely hard to detect.
Another important aspect of the APT is that the damage caused over years of compromise is often difficult to detect, or has not yet occurred at all. In many cases the very thorough compromise of a network has not yet inflicted any damage. The adversary wants the ability to do something and spends a lot of time creating and maintaining this weapon, but chooses not to use it yet. In other cases, the damage, such as financial loss or intellectual property pilfering, is done in such a stealthy way that a cyber attack is not considered the cause.
I’m sure loyal blog readers see how this can apply to control systems. Most of what we hear about in actual control system incidents, and the most likely threat agents to control systems, are malware, script kiddies, disgruntled insiders, … But it is easy to think of scenarios where some nation state or non-state actor would like to have the ability to take out a country’s critical infrastructure at the time of their choosing. The APT concept seems to us the way a technically advanced, well funded, and patient threat agent would do this. We need to understand better how this is being done today, how it is being detected and how to respond.
APT is real and happening, and Kris will discuss real world examples including not just the timelines, motives and impacts, but also the technical details of how the attackers did it, and how they maintained their persistence even after discovery and apparent eradication from the networks.
Kris Harms is a Principal Consultant at Mandiant with extensive experience investigating and resolving high risk computer security incidents. He has responded to intrusions for Fortune 100 companies, e-commerce sites and financial institutions. He has also supported multiple counter-intelligence intrusion investigations for several government entities. A frequent industry speaker and instructor, Mr. Harms has appeared on the CBS News program 60 Minutes and PBS’s Wealth and Wisdom.
I have to give a big thanks and hat tip to Richard Bejtlich (see taosecurity.blogspot.com). He introduced me to APT and helped identify the best speaker on this topic.
Author: Dale Peterson
Posted: December 16th, 2009 under Calculating Risk, S4.
Comments: 2
Comments
Pingback from M-unition » Blog Archive » MANDIANT in Miami at the SCADA Security Scientific Symposium
Time: January 9, 2010, 8:54 pm
[...] January 20th, I’ll be keynoting the SCADA Security Scientific Symposium (S4). I’m lucky enough to escape the cold DC weather. Unfortunately Miami is also getting some [...]
Pingback from Digital Bond » Google, Adobe, Timely Info for APT Keynote
Time: January 13, 2010, 10:15 am
[...] selected Kris Harms from Mandiant to give next week’s S4 Keynote on the topic of Advanced Persistent Threat [APT]. This week Google and Adobe announce [...]